2. 程式人生 > >freeradius 802.1X EAP-PEAP 認證失敗問題的解決

freeradius 802.1X EAP-PEAP 認證失敗問題的解決

阿新 發佈:2019-02-10

    使用freeradius 2.1.12版本測試 EAP-PEAP認證過程中,總是無法認證成功,檢視相關的LOG顯示, EAP-TLS 和 TUNNEL都已經完成,但是在mschapv2過程中出現報錯,

經過檢查 default檔案中eap和sql相關的配置都配置沒有問題;進一步分析LOG,報錯位置在 Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel,因此

重點分析 inner-tunnel 檔案,發現 server inner-tunnel 項下 sql 模組並未放開,從而導致認真過程中無法查到對應的使用者。將sql模組放開,再次測試可以成功認證了。

附radius LOG:

        NAS-Identifier = "Quidway"

NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b252182413cfe24d5a185fce21670
EAP-Message = 0x02ca00061900
Message-Authenticator = 0x0af65760553e31c79b9723cd74ce955d
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 202 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 90 to 192.168.1.1 port 1812
EAP-Message = 0x01cb002b190017030100208f5f2856e0d38769c25a80f99b6e8769ab6248a090d042536582634939f5d312
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x878b252181403cfe24d5a185fce21670
Finished request 20.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=91, length=278
User-Name = "wyw"
NAS-Port = 196708
Service-Type = Framed-User
Framed-Protocol = 4294967295
Calling-Station-Id = "C42C-0338-BE22"
NAS-Identifier = "Quidway"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b252181403cfe24d5a185fce21670
EAP-Message = 0x02cb002b190017030100209736b1d515854cf8078894adcd353f9b5c27380bd9a79cbca97515a2f5e34518
Message-Authenticator = 0x2acacf7a967b7b5c370896f75004c58d
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 203 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - wyw
[peap] Got inner identity 'wyw'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
EAP-Message = 0x02cb000801777977
server  {
[peap] Setting User-Name to wyw
Sending tunneled request
EAP-Message = 0x02cb000801777977
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "wyw"
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 203 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x01cc001d1a01cc00181085a9ab78319049545bed0ff5fe07293c777977
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x03a77cf3036b6607e9508ac9687cba29
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x01cc001d1a01cc00181085a9ab78319049545bed0ff5fe07293c777977
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x03a77cf3036b6607e9508ac9687cba29
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 91 to 192.168.1.1 port 1812
EAP-Message = 0x01cc003b19001703010030a6be5436fa853a6f715e74f502eef9bcc414e4c1e2f491f3122577b61201b3211f7ca0aa31c23ba34e1fcebc76342622
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x878b252180473cfe24d5a185fce21670
Finished request 21.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=92, length=326
User-Name = "wyw"
NAS-Port = 196708
Service-Type = Framed-User
Framed-Protocol = 4294967295
Calling-Station-Id = "C42C-0338-BE22"
NAS-Identifier = "Quidway"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b252180473cfe24d5a185fce21670
EAP-Message = 0x02cc005b1900170301005017477f31595d6a842d698f0a447f929c0c3f7686e4e78706e3c328cf412a7f2cc64c59680093a1ffe1219560e1f24e93dfa60b56ca1bdf44fc5355322b267547d2360080e57295accccf7f7691cd9698
Message-Authenticator = 0xa3923431814672b2cf8e350cae8c0564
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 204 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
EAP-Message = 0x02cc003e1a02cc003931149dd01dfbc8493a54453622855a78580000000000000000e135e4999721a41a3fe80a2e4532d9e00c676963a596a14800777977
server  {
[peap] Setting User-Name to wyw
Sending tunneled request
EAP-Message = 0x02cc003e1a02cc003931149dd01dfbc8493a54453622855a78580000000000000000e135e4999721a41a3fe80a2e4532d9e00c676963a596a14800777977
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "wyw"
State = 0x03a77cf3036b6607e9508ac9687cba29
server inner-tunnel {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 204 length 62
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: wyw
[mschap] Client is using MS-CHAPv2 for wyw, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect

++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
MS-CHAP-Error = "\314E=691 R=1"
EAP-Message = 0x04cc0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
MS-CHAP-Error = "\314E=691 R=1"
EAP-Message = 0x04cc0004
Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 92 to 192.168.1.1 port 1812
EAP-Message = 0x01cd002b19001703010020993478f9be023a7ee7a29d6b3c044c46d0db59828f7d4df179e1ffecbd7c8707
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x878b25218f463cfe24d5a185fce21670
Finished request 22.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 1812, id=93, length=278
User-Name = "wyw"
NAS-Port = 196708
Service-Type = Framed-User
Framed-Protocol = 4294967295
Calling-Station-Id = "C42C-0338-BE22"
NAS-Identifier = "Quidway"
NAS-Port-Type = Ethernet
NAS-Port-Id = "slot=0;subslot=0;port=48;vlanid=100"
State = 0x878b25218f463cfe24d5a185fce21670
EAP-Message = 0x02cd002b19001703010020d91727067896ae944ad11027b8046af0edea010e7dca7787fb220fe6ef715e43
Message-Authenticator = 0xa502ea6d3f33af69dd18a9fca2e08f26
Login-IP-Host = 0.0.0.0
Huawei-Startup-Stamp = 1361362410
Huawei-IPHost-Addr = "255.255.255.255 c4:2c:03:38:be:22"
Huawei-Connect-ID = 192
Huawei-Version = "Huawei S9300"
Huawei-Product-ID = "S9300"
NAS-IP-Address = 192.168.1.1
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[suffix] No '@' in User-Name = "wyw", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 205 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> wyw
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 93 to 192.168.1.1 port 1812
EAP-Message = 0x04cd0004
Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 3.8 seconds.

相關推薦

freeradius 802.1X EAP-PEAP 認證失敗問題的解決

    使用freeradius 2.1.12版本測試 EAP-PEAP認證過程中,總是無法認證成功,檢視相關的LOG顯示, EAP-TLS 和 TUNNEL都已經完成,但是在mschapv2過程中出現報錯, 經過檢查 default檔案中eap和sql相關的配置都配置沒有

專案經驗——svn認證失敗解決方案

今天從svndown程式碼的時候發現出現了svn驗證失敗的問題:   第一次遇到這樣的問題,不過解決起來還是非常簡單的,主要的原因還是這個兩個專案的許可權是不一樣,但是我們在輸入使用者名稱和密碼的時候往往選擇了儲存這個許可權,如下圖:   這樣就會導致一旦出現專案許可權變更,

Win7環境下如何開啟802.1X 無線網路認證

我現在在的大學有兩種校園無線網可以用,一種基於網頁認證,輸入使用者名稱和密碼就可以,還一種是基於802.1X認證。我來了之後一直用的是第一種,但最近這個網頁認證不太穩定,經常刷不出登陸頁面,於是我想要用第二種認證。經過一番搜尋,我發現對於Win7環境(其它windows環境

CentOS配置Google 動態認證,以及認證失敗解決辦法

大家好,為了能夠和有疑問的同行者及時溝通,我建立了一個群:615870353,我會免費更新行業資訊,並回復大家提出的各種行業問題。 問題: 現在要求遠端登入到伺服器時,需要增加一個Google的動態

資料庫(基礎)-Password認證失敗解決

一 外部命令介紹 命令 命令功能 -d 連線資料庫 -U 連線使用者 -f 執行指令碼 -L 日誌檔案 認證失敗: 失敗原因及解決辦法: 根據提示可以知道認證失敗

FreeRadius+Cisco交換機+Windows AD實現802.1X認證

inpu onf its 配置 add ima using emctl 下一步 (一)概述本文檔描述了如何設置FreeRadius服務器,以便對windows客戶端網絡用戶透明的對ActiveDirectory進行身份驗證。 1.1、原理:FrReRADIUS通過基於端口的

WINDOWS7 下 xclient 802.1x 客戶端 停止運行的解決辦法

802.1x 修改 計算機 啟用 cli rdquo 基本 客戶 客戶端 昨天下午,由於FOXMAIL 出現問題,修改了一個地方,導致xclient 停止運行。具體解決辦法如下:右擊“計算機”-進入“系統屬性”-->&l

FreeRadius + Daloradius + Ubuntu Server 實現的無線802.1x的radius驗證

freeradius daloradius radius opensource 介紹FreeRadius 是目前開源應用中使用最廣泛的軟件。它支持目前普遍使用的各種驗證協議,服務器是運行在PHP為基礎的web平臺上提供一種叫dialupadmin的用戶管理工具。它為近500家企業提供了AAA訪

使用sourceTree向碼雲提交代碼時 push 錯誤 (或認證失敗解決辦法

ack nbsp 隱藏 重新 img 打開文件 alt asi pos 如果出現push不進去或者使用命令push認證失敗時,很可能是你密碼有誤或者用戶沖突,解決辦法如下: 1.進入目錄,找到文件後先備份一下 註意:appData可能隱藏了,若是隱藏,先讓其顯示

華為 Controller-Campus之802.1X有線認證

Controller-Campus Controller-Campus配置步驟第一步、下載安裝第二步、配置Controller-Campus第三步、配置交換機radius-server template rd1 #創建RADIUS服務器模板名稱rd1radius-server authentication 1

PostgreSQL遠程連接配置管理/賬號密碼分配(解決:致命錯誤: 用戶 "postgres" Ident 認證失敗

切換用戶 pri reject bsp 拒絕 linu 創建用戶 code psql 問題:致命錯誤: 用戶 "postgres" Ident 認證失敗 說明:這個是由於沒有配置遠程訪問且認證方式沒改造成的,只需要更改使用賬號密碼認證即可。 解決:找到pg_hba.co

H3C 交換機 和windows NPS結合實現內網802.1X認證

NPS\802.1x環境介紹: windows server 2012 NPS 承擔Radius Server 角色 Radius Client 設備型號 H3C S3100V2 由於802.1x 端口控制方式有兩種,一種是基於接口的接入控制方式(PortBased),一種是基於Mac的接入控制方式(M

華為AC配置802.1X認證

dot1x<AC6005>system-view [AC6005]vlan batch 10 to 14[AC6005]int vlan 10 [AC6005-Vlanif10]ip address 192.168.10.254 24[AC6005-Vlanif10]quit[AC6005]cap

自學Aruba7.3-Aruba安全認證-802.1x認證(web頁面配置)

配置 col htm 點擊 命名 頁面 com tar .html 點擊返回:自學Aruba之路 自學Aruba7.3-Aruba安全認證-802.1x認證(web頁面配置) 步驟1 建立AP Group,命名為test-group自學Aruba7.3-Aruba安全認證-

java使用“使用者名稱+密碼”連線mongodb,認證失敗的問題解決

專案中,使用java“使用者名稱+密碼”連線mongodb,一直認證失敗! MongoClient mongoClient = new MongoClient(HOST, PORT); DB db = mongoClient.getDB(DB_NAME); // 認證失敗auth=false

webstorm git時認證失敗(Authentication failed )的解決

目前呢  公司專案管理用的GitLab,前段時間基於自家伺服器沒準備好,域名還在申請等問題,用的託管伺服器及IP地址,後來來了個遷移,呃呃呃~ 然後不管是pull還是push 都失敗啦 開始呢 ,報錯一直401,顯示沒許可權,無奈之下,安裝了sourceTree,通過sourceTree提交和拉取

Ubuntu輸入su提示認證失敗解決方法

轉載請註明出處:http://blog.csdn.net/feibendexiaoma/article/details/73739364 在終端中輸入su切換時,輸入密碼提示認證失敗,因為root使用者預設是被鎖定的,不允許登入,那麼怎麼設定可用呢 (1)終端輸入 sudo pass

su root 認證失敗如何解決

剛開始安裝虛擬機器作業系統時,可能會遇到su root認證失敗的情況,這是因為root沒有初始化,初始化的步驟如下:ctr+Alt+T開啟終端,然後輸入sudo passwd(不是password) root,之後會提示Enter new UNIX password: 輸入新密碼,然後提示

linux下的freeradius802.1x)伺服器搭建總結

1.下載壓縮包 http://freeradius.org https://www.samba.org/ftp/talloc/talloc-2.17.tar.gz  下載的壓縮包的名字為: talloc-2.1.7.tar.gz 和freeradius-server-3.0

TFS(Visual Studio Team Services) Git認證失敗 authentication fails 的解決方案

TFS git認證配置 TFS2015 visual studio中使用正常,可是git bash執行失敗,提示 authentication fails。這是由於windows驗證方式,在git中的識別問題。git自帶有credential.helper,預設為manager,需要設定system與glob